America’s Upside Down Cyber-Priorities

The government’s cyber-priorities are backwards. It has chosen bits over bodies, defending the virtual world of ones and zeroes more than the real world of people and homeland security.

Through its deeds, it has prioritized net neutrality openness to the detriment of cybersecurity and a more secure Internet.

As a result, Americans, American businesses, and America, are less safe and secure today and tomorrow than they could or should be.

Many Americans have heard much more from the U.S. Government about what it’s doing to protect against the potential for Internet traffic discrimination by American ISPs under the banner of “net neutrality,” than they have heard about what it is doing to protect Americans, businesses, and the homeland from actual foreign and domestic bad actors, attacks and breaches.

The FCC is the poster child of the U.S. government’s upside-down cyber priorities.

The FCC’s over-riding priority has been protecting their authority and relevance by insisting that threats to net neutrality, the cyber-utopian principle that “all bits are created equal,” are so severe that the FCC must regulate the Internet’s economics to protect bits from discrimination.

In November, President Obama gave a net neutrality speech in which he publicly called for the FCC to “implement the strongest possible rules to protect net neutrality” and urged the FCC to assert Depression-era, Title II telephone price regulation authority over the Internet, which the FCC dutifully implemented in February.

In geek-speak, net neutrality openness is about the government forcing America’s trillion-dollar, privately-built, Internet infrastructure to become a dumb network, rather than a smart network with more inherent cybersecurity capability.
Perfectly dumb and “neutral” networks only route traffic to its destination without any private network management to alleviate congestion; traffic prioritization for quality of service or emergency services; or common sense cybersecurity measures to filter out spam, viruses, malware, botnets, and denial of service attacks.

In banning any blocking and throttling of Internet traffic and requiring maximal Internet traffic transparency, the FCC has created a very hostile environment for discussing legitimate cybersecurity measures in public.

Also, the FCC’s guilty until proven innocent enforcement approach to net neutrality forces companies to err on the side of openness rather than cybersecurity.

In demonizing any private management of Internet traffic as an anti-competitive violation of net neutrality, openness, and freedom of speech, the FCC ironically has chilled necessary public debate about the dire national need to strengthen cybersecurity.

Consider the appalling evidence that cybersecurity has been a relatively low U.S. government priority over the last six years.

This month, Russian hackers reportedly hacked into the Department of Defense, Joint Chiefs of Staff unclassified email system for over four thousand accounts.

This summer, we learned Chinese hackers broke into the U.S. Office of Personnel Management and stole the security clearance files for over twenty million Federal employees and contractors done over the last thirty years.

This February, Anthem suffered a data breach of 80 million personal and medical records.

In 2014, the North Koreans reportedly hacked into Sony’s corporate servers and leaked damaging corporate information; and Home Depot suffered a criminal breach of 56 million credit card numbers.

In 2013, NSA contractor Edward Snowden leaked thousands of the NSA’s most sensitive national security documents; Adobe had 130 million user records stolen; and Target had 40 million credit card numbers stolen.

In 2012, NSA Director Keith B. Alexander called cybercrime against U.S. corporations “the greatest transfer of wealth in history.”

In 2011, Google reported Chinese hackers gained access to hundreds of Gmail accounts of senior U.S. Government officials and military personnel, including one cabinet official.

In 2010, Google announced it had been hacked by the Chinese, and according to the New York Times, the hackers had access to Google’s servers for at least a year and were able to steal Google’s entire password system.

During all this national cyber mayhem, how could net neutrality openness remain the U.S. Government’s apparent highest cyber priority?

How come no one in the U.S. Government has said enough is enough, and called for “the strongest possible” cybersecurity measures?

The apparent reason is that the U.S. Government has adopted a defeatist cybersecurity attitude.

Current NSA Director Mike Rogers publicly warned America after the OPM breach this summer that “We are in a world now where, despite your best efforts, you must prepare and assume that you will be penetrated… It is not about if you will be penetrated, but when.”

How did America’s cyber policy get so defeatist that the U.S. Government is effectively telling America that it can it can no longer reliably protect its citizens, employees, businesses, sovereignty, or national secrets from foreign enemies or criminals?

This travesty happened, at least in part, because the U.S. government has politically prioritized extreme net neutrality openness over common sense, smart network, cyber security.

The U.S. government’s upside-down cyber priorities are a systemic risk. That’s because the U.S. government continues to chase a solution in search of a problem, net neutrality, at the expense of a real and serious problem, the homeland’s cyber insecurity.